28 Commits

Author	SHA1	Message	Date
h3xduck	e881502ffa	Now control flow is redirected back to the syscall after running the shared library constructor instead of skipping it	2022-04-09 14:17:09 -04:00
h3xduck	621e42e2e8	Changed shellcode to include backup of registers and stuck. Now prevents stack smashing detection via the stack canaries	2022-04-07 19:47:53 -04:00
h3xduck	be5605db5f	Introduced shellcode and finished code cave writing and injection. RELRO working	2022-04-07 11:54:24 -04:00
h3xduck	3455b80010	Merge branch 'injection' of https://github.com/h3xduck/TFG into injection. Messed up with branches, clearing up	2022-04-07 07:14:54 -04:00
h3xduck	3438f5846f	Finished injection module at userspace using /proc/<pid>/maps, enables to overwrite the GOT section with RELRO activated	2022-04-07 07:11:28 -04:00
h3xduck	e6ddb3373e	Finished injection module at userspace using /proc/<pid>/maps, enables to overwrite the GOT section with RELRO activated	2022-04-05 20:21:59 -04:00
h3xduck	96cfda8c1f	Finished RELRO adaptation.	2022-04-04 18:04:34 -04:00
h3xduck	748062f464	Adapted memory analysis to larger memory addresses inside the virtual address space. Solved bugs and others, adapting code for RELRO.	2022-04-04 17:07:45 -04:00
h3xduck	8f28c3a883	Updated helpers and added resources to help with lib injection	2022-03-24 15:40:05 -04:00
h3xduck	9dff5e71dc	Included offset and extraction of interesting functions	2022-03-17 21:41:40 -04:00
h3xduck	0fbcb8bdf7	Fixed probe not probing correct syscall entry	2022-03-17 19:36:25 -04:00
h3xduck	fcf43ff180	Finished extraction of return address from the stack, and libc syscall adress	2022-03-17 19:32:32 -04:00
h3xduck	9647972531	Finished extraction of stack return address	2022-03-17 13:18:19 -04:00
h3xduck	671e2d671d	Added extraction of original jump instruction and opcodes	2022-03-15 18:36:59 -04:00
h3xduck	0c88d5baa9	Successfully added uprobes calculation and hooking at arbitrary function of execve_hijack.	2022-03-03 05:53:51 -05:00
h3xduck	e64839f080	Added new libc symbols extraction	2022-03-02 19:00:50 -05:00
h3xduck	805fa760cf	Corrected issues of opening directories without permission in execve helper	2022-02-24 19:53:11 -05:00
h3xduck	b182ac1eeb	Added new TC module, updates to the exec hooking system and the userland module	2022-02-20 16:50:15 -05:00
h3xduck	1ec4ed8486	Now the execve hijacker works without needing a canalizer. Removed it. Also some additional tweaks to the c&c launching of the helper	2022-02-19 11:57:32 -05:00
h3xduck	8e97624326	Improved the pricvesc module which used sudo, now correctly working when the user already has sudo with password capabilities. Now the rootkit userspace helper is correctly launching with root permissions	2022-02-19 11:08:56 -05:00
h3xduck	130364e6ab	Added support for integrating the execution hijacker via the rootkit. Still some work to do, also changed some config from fs which needs to be reverted	2022-02-18 09:08:54 -05:00
h3xduck	2ae705f037	Added new map structure, in preparation for new internal maps storing requested commands via the network backdoor	2022-02-14 20:08:30 -05:00
h3xduck	edbaf09c06	Completed execve hijacking, as with special error cases that arise and that are documented in the code.	2022-02-14 17:45:07 -05:00
h3xduck	044c85f3ff	Initial version of the RCE scheme- Added complete execve hook, helper and modifying capabilities for the filename called. Works still needs to be done	2022-02-06 14:15:57 -05:00
h3xduck	41ef733520	Completed faking that an user is in the sudoers file. Now user 'test' can use sudo without being there	2022-02-05 14:10:12 -05:00
h3xduck	643783004a	Added new hooks and updated map fields to support new sudo module.	2022-02-05 13:49:20 -05:00
h3xduck	2b50d376a6	Updated function and configurator manager names to the used hook.	2022-01-26 13:04:23 -05:00
h3xduck	3832d99af1	Updated file names and directory structure to the new multi-modules rootkit	2022-01-16 06:56:54 -05:00